Annual Computer Security Applications Conference (ACSAC) 2013

Full Program »

Tracer FIRE

Monday, 9 December 2013
08:30 - 12:00

DH Holmes A

Instructors: Kevin Nauer, Ben Anderson, Theodore Reed, Sandia National Labs

Tracer FIRE, (Forensic and Incident Response Exercise), is a program developed by Sandia and Los Alamos National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas, and to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the Department of Energy and other U.S. government agencies have been trained.

In Tracer FIRE, attendees will learn about a variety of topics in the areas of incident response, forensic investigation and analysis, file systems, memory layout and malware analysis. Tracer FIRE includes a mixture of lecture, hands-on training, and competitive exercises designed to provide the attendees with the knowledge and practice to apply what they have learned in a real-world situation.

This year, Tracer FIRE has been updated and expanded in two important ways. First, there is a greater focus on using open source or other free software so that students can continue to learn on their own following the tutorial. Second, Tracer FIRE has been updated to include modules on mobile device forensics and malware targeted at mobile devices.

Both days of this professional development course are split into two sections. The morning, classroom portion, will consist of both lecture and hands-on training with forensic analysis tools. The training will focus on defensive forensics analysis by training the participants using adversarial-based analogies. By approaching forensic analysis from the mind of an advisory, the incident responder will gain better situational awareness.

In the afternoon, attendees will be divided into teams and will participate in a competition that will require them to apply what they have learned during the classroom training. During this competition, the teams will solve cyber security challenges involving a range of forensic analysis techniques. This exercise allows attendees to practice maintaining network situational awareness, use of forensic tools, and hone their teaming and communication skills. In addition, students will be required to present their understanding of the overall scenario, identifying key actors, events and actions to demonstrate their ability to understand the attacker's actions.

Note: Student scholarships are available to support undergraduate and graduate student participation in Tracer FIRE - please see our Student Conferenceships page.

Day 1 Outline

  1. Rapid Response Cyber Forensics. The need for "cyber triage". Tools and protocols used by CSIR teams to discover events. Methods to prioritize actionable events. Importance of updating defensive systems.

  2. Introduction to Host Forensics. Acquiring a remote forensic image. Difference between logical and physical images. Basic examination of forensic image. General functionality.

  3. Disk and File Systems for Incident Responders. Low level details of the NT file system. Associated artifacts of the operating system. Windows registry, Master Boot Records, BIOS, and UEFI (firmware drivers).

  4. Network Reverse Engineering for Incident Responders. Using Wireshark to quickly organize views of network events. Writing logic to dissect unknown network protocols using Python and Scapy.

  5. Mobile Device Forensics. Analysis of an Android-based mobile device. How to view the file structure and discover features normally hidden from the user.

Day 2 Outline

  1. Memory Space: The Final Frontier. Issues with acquisition of a memory image from a live system. Layout of memory in Windows. Examination of memory contents. Use of Memorize and Audit Viewer. Hands-on memory acquisition. Analysis of memory image.

  2. File Carving and PDF, Java, Flash, and Windows PE reverse engineering. Reasons for file carving. Discovery and reassembly of file fragments. Examination of PDF, Java, Flash, PE file format. Malicious PDF, Java, Flash, PE analysis.

  3. Embedded Protocol Analysis & Attack Situational Awareness. Introduction to custom hardware protocols. Creative techniques for situational awareness from both an attacker and defender’s perspective.

  4. Mobile Malware. Introduction to mobile malware and the features that make it different from other classes of malware. Discussion of the challenges of detecting malware on mobile devices.


Attendees will require a basic understanding of computer systems, networks and general cyber security concepts. Workstations and the EnCase Enterprise suite will be provided for the attendees – no personal hardware or software is required.

About the Instructors:

Mr. Kevin Nauer is a member of technical staff at Sandia and has over ten years experience in conducting forensic analysis and leading a team of analysts to conduct incident response operations. Kevin has been leading a development effort for the past three years to develop a framework to support collaborative cyber security incident response operations. Kevin holds a B.S. and M.S in computer science, and he has also served as a Captain in the US Army Intelligence and Security Command where he helped form a new organization to support national intelligence operations integrating computer forensic analysis techniques.

Mr. Ben Anderson is a member of technical staff at Sandia and has conducted research in virtualization and SSD Forensics. He holds a master's degree in computer engineering from Iowa State University and previously served in the Marines Corps as a member of their Fleet Antiterrorism Security Team Co.

Mr. Theodore Reed is a member of technical staff at Sandia and has focused on red team assessments and high-fidelity modeling and simulation of cyber systems.


Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC